Krebs fan creates new Trojan

August 21, 2017

Miner Trojans, which use computer resources to mine cryptocurrencies, have been around since 2011. In recent years, interest in such malicious programs has not waned among criminals, as is evidenced by the emergence of new programs of this type.

Miner Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: the creators of these programs are now targeting the Linux platform. Smart devices running Linux have recently become very popular, and their owners often do not change the default settings, most notably the administrator login and password. This is why hacking into such devices is not a major problem for cybercriminals.

Linux.BtcMine.26 is yet another Miner Trojan for Linux devices. Its distribution scheme is similar to the infection mechanism of Linux.Mirai: cybercriminals connect to an attacked device over the Telnet protocol after guessing the login and password, and then save a loader program on the device. They then launch the loader from the terminal with a console command, and Linux.BtcMine.26 is downloaded to the device.

An analysis of the miner loader has revealed a peculiar feature: krebsonsecurity.com is mentioned several times in its source code. This website is owned by well-known cybersecurity expert Brian Krebs. Apparently, the author of the Trojan is his secret admirer.

The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently, Linux.BtcMine.26 builds are known to exist for the x86-64 and ARM hardware architectures. The characteristic signs that a miner is present are a decrease in device speed and an increase in heat emissions during device operation.

The most reliable way to prevent devices from being infected by such Trojans is to promptly change the default login and password. Complex passwords that cannot be compromised by a dictionary search are recommended. It is also recommended to restrict remote changes to a device’s settings over external connections.
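As an added example (not part of Doctor Web's article), the following shell script checks a device for the Telnet exposure described above by parsing socket tables in the /proc/net/tcp format for listeners on TCP port 23. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): find Telnet listeners on a Linux device.
# Input format: /proc/net/tcp or /proc/net/tcp6 (kernel socket table).

# Constructed sample table: sshd on 0.0.0.0:22, telnetd on 0.0.0.0:23,
# and an established (state 01) connection that must be ignored.
SAMPLE_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00A8C0:0017 0500A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1'

# Print one line per LISTEN socket on TCP/23: "<hex local address> <scope>".
# State 0A is TCP_LISTEN; port 0017 hex is 23. Scope is "loopback" or "exposed".
# Reads the named table files, or standard input when none are given.
telnet_listeners() {
    awk 'FNR > 1 && $4 == "0A" {
        n = split($2, part, ":")
        if (n != 2 || toupper(part[2]) != "0017") next
        addr = toupper(part[1])
        # IPv4 is stored little-endian, so 127.x.x.x ends in 7F; ::1 for IPv6.
        loop = (length(addr) == 8 && substr(addr, 7, 2) == "7F") ||
               addr == "00000000000000000000000001000000"
        print addr, (loop ? "loopback" : "exposed")
    }' "$@"
}

# Exit status 0 when at least one Telnet listener is reachable off-host.
telnet_exposed() {
    telnet_listeners "$@" | grep -q ' exposed$'
}

# Check the live tables when present (reads only, changes nothing).
for table in /proc/net/tcp /proc/net/tcp6; do
    [ -r "$table" ] || continue
    if telnet_exposed "$table"; then
        echo "$table: Telnet (TCP/23) is listening on a non-loopback address"
    fi
done
```

To try it against the constructed table, run `printf '%s\n' "$SAMPLE_TABLE" | telnet_listeners`. A device that reports an exposed listener should have Telnet disabled or its default credentials changed, as recommended above.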

The Linux.BtcMine.26 signature has been added to the Dr.Web for Linux anti-virus database so this Trojan does not pose a threat to our users.
